Breaking down
RTC security
A blog about vulnerabilities and attacks affecting VoIP and WebRTC applications and infrastructure by Enable Security.
Read our newsletter
OpenSIPS Security Audit Report is fully disclosed and out there
Published on Mar 17, 2023 in sip security, sipvicious pro, sip security testing, security tools, opensips, kamailio, fuzzing, denial of service, research
It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report. The OpenSIPS security audit report can be found here. What is the OpenSIPS security audit? OpenSIPS is a SIP server that often has a critical security function within an IP communications system.…
Read more »SIPVicious PRO incremental update - and Gitlab CI/CD examples
Published on Mar 7, 2023 in sip security, sipvicious pro, sip security testing, sipvicious releases, devops, security tools
We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update: Documentation now includes realistic Gitlab CI/CD examples The RTP fuzzer in the experimental version now supports SRTP Support for new SIP DoS flood request methods The RTP inject tool can now specify the RTP’s SSRC and payload ID The SIP password cracking tool now supports closing the connection upon each attempt The SIP ping utility supports INVITE For the boring details, including a list of bug fixes, do read the release notes for v6.…
Read more »Kamailio’s exec module considered harmful
Executive summary (TL;DR) The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection. By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration. We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions. Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.…
Read more »
Sandro Gauci, Enable Security
How to perform a DDoS attack simulation
Last updated on Nov 29, 2022
TL;DR A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow the best practices, apply solutions and mitigation; and you can finally answer: what if we got attacked? Introduction In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises.…
Read more »Sandro Gauci, Enable Security
Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms
Last updated on Apr 8, 2022 in denial of service, demo server, freeswitch, asterisk, webrtc security, kamailio, sipvicious pro
Executive summary (TL;DR) Exploiting CVE-2022-0778 in a WebRTC context requires that you get a few things right first. But once that is sorted, DoS (in RTC) is the new RCE! How I got social engineered into looking at CVE-2022-0778 A few days ago, Philipp Hancke, self-proclaimed purveyor of the dark side of WebRTC, messaged me privately with a very simple question: “are you offering a DTLS scanner by chance?” He explained how in the context of WebRTC it would be a bit difficult since you need to get signaling right, ICE (that dance with STUN and other funny things) and finally, you get to do your DTLS scans.…
Read more »Sandro Gauci, Enable Security
Killing bugs … one vulnerability report at a time
Last updated on Oct 29, 2021 in freeswitch, voip security, conferences, denial of service, sipvicious pro
Executive summary (TL;DR) We tell the story behind the latest FreeSWITCH advisories and how it all came together one sleepless night in April 2021 so that we ended up with 4 vulnerabilities that needed reporting. And then, one more vulnerability found due to a bug in our own software, SIPVicious PRO. We explain how these flaws were discovered, reported, fixed and what we ultimately learned through this process. What is this about?…
Read more »Kamailio’s exec module considered harmful
Executive summary (TL;DR) The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection. By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration. We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions. Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.…
Read more »Abusing SIP for Cross-Site Scripting? Most definitely!
Last updated on Jun 10, 2021 in sip security, voip security, application security
Executive summary (TL;DR) SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability which highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access can be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms.…
Read more »Attacking a real VoIP System with SIPVicious OSS
Last updated on Jun 8, 2020 in sipvicious oss, security tools, sip security
Recently, we put out a target server on the Internet at demo.sipvicious.pro which hosts a Kamailio Server handling SIP over UDP, TCP, TLS as well as WebSockets. Behind that, the observant reader will soon discover that an Asterisk server handles the voicemail and echo services. This is actually a fully functioning (real) VoIP system that’s ready to be attacked. Therefore, in combination, these software packages allow us to reproduce a number of common security vulnerabilities affecting VoIP and WebRTC systems.…
Read more »Sandro Gauci, Enable Security
Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it
Last updated on Apr 20, 2020 in xmpp security, jitsi meet, research, webrtc security, default passwords
Executive summary (TL;DR) Jitsi Meet on Docker contained default passwords for important users, which could be abused to run administrative XMPP commands, including shutting down the server, changing the administrative password and loading Prosody modules. We also provide instructions on how to check for this issue if you administer a Jitsi Meet server. Background story A few days ago we noticed a tweet by @joernchen mentioning something that sounded familiar, Jitsi.…
Read more »